2012-09-20 16:06:27 +04:00
|
|
|
"""
|
2012-10-15 16:27:50 +04:00
|
|
|
Provides a set of pluggable authentication policies.
|
2012-09-20 16:06:27 +04:00
|
|
|
"""
|
|
|
|
|
|
|
|
from django.contrib.auth import authenticate
|
2012-11-22 03:20:49 +04:00
|
|
|
from django.utils.encoding import DjangoUnicodeDecodeError
|
|
|
|
try:
|
|
|
|
from django.utils.encoding import smart_text
|
|
|
|
except ImportError:
|
|
|
|
from django.utils.encoding import smart_unicode as smart_text
|
2012-10-15 17:03:36 +04:00
|
|
|
from rest_framework import exceptions
|
2012-09-20 16:06:27 +04:00
|
|
|
from rest_framework.compat import CsrfViewMiddleware
|
|
|
|
from rest_framework.authtoken.models import Token
|
|
|
|
import base64
|
|
|
|
|
|
|
|
|
|
|
|
class BaseAuthentication(object):
|
|
|
|
"""
|
|
|
|
All authentication classes should extend BaseAuthentication.
|
|
|
|
"""
|
|
|
|
|
|
|
|
def authenticate(self, request):
|
|
|
|
"""
|
2012-10-15 16:27:50 +04:00
|
|
|
Authenticate the request and return a two-tuple of (user, token).
|
2012-09-20 16:06:27 +04:00
|
|
|
"""
|
2012-10-15 16:27:50 +04:00
|
|
|
raise NotImplementedError(".authenticate() must be overridden.")
|
2012-09-20 16:06:27 +04:00
|
|
|
|
|
|
|
|
|
|
|
class BasicAuthentication(BaseAuthentication):
|
|
|
|
"""
|
2012-10-15 16:27:50 +04:00
|
|
|
HTTP Basic authentication against username/password.
|
2012-09-20 16:06:27 +04:00
|
|
|
"""
|
|
|
|
|
|
|
|
def authenticate(self, request):
|
|
|
|
"""
|
|
|
|
Returns a `User` if a correct username and password have been supplied
|
|
|
|
using HTTP Basic authentication. Otherwise returns `None`.
|
|
|
|
"""
|
|
|
|
if 'HTTP_AUTHORIZATION' in request.META:
|
|
|
|
auth = request.META['HTTP_AUTHORIZATION'].split()
|
|
|
|
if len(auth) == 2 and auth[0].lower() == "basic":
|
|
|
|
try:
|
2012-11-22 05:08:00 +04:00
|
|
|
auth_parts = base64.b64decode(auth[1].encode('utf8')).decode('utf8').partition(':')
|
2012-09-20 16:06:27 +04:00
|
|
|
except TypeError:
|
|
|
|
return None
|
|
|
|
|
|
|
|
try:
|
2012-11-22 03:20:49 +04:00
|
|
|
userid = smart_text(auth_parts[0])
|
|
|
|
password = smart_text(auth_parts[2])
|
2012-09-20 16:06:27 +04:00
|
|
|
except DjangoUnicodeDecodeError:
|
|
|
|
return None
|
|
|
|
|
|
|
|
return self.authenticate_credentials(userid, password)
|
|
|
|
|
|
|
|
def authenticate_credentials(self, userid, password):
|
|
|
|
"""
|
|
|
|
Authenticate the userid and password against username and password.
|
|
|
|
"""
|
|
|
|
user = authenticate(username=userid, password=password)
|
|
|
|
if user is not None and user.is_active:
|
|
|
|
return (user, None)
|
|
|
|
|
|
|
|
|
|
|
|
class SessionAuthentication(BaseAuthentication):
|
|
|
|
"""
|
|
|
|
Use Django's session framework for authentication.
|
|
|
|
"""
|
|
|
|
|
|
|
|
def authenticate(self, request):
|
|
|
|
"""
|
2012-10-15 16:27:50 +04:00
|
|
|
Returns a `User` if the request session currently has a logged in user.
|
|
|
|
Otherwise returns `None`.
|
2012-09-20 16:06:27 +04:00
|
|
|
"""
|
2012-10-10 19:36:25 +04:00
|
|
|
|
|
|
|
# Get the underlying HttpRequest object
|
|
|
|
http_request = request._request
|
|
|
|
user = getattr(http_request, 'user', None)
|
2012-09-20 16:06:27 +04:00
|
|
|
|
2012-10-15 17:03:36 +04:00
|
|
|
# Unauthenticated, CSRF validation not required
|
|
|
|
if not user or not user.is_active:
|
|
|
|
return
|
2012-09-20 16:06:27 +04:00
|
|
|
|
2012-10-15 17:03:36 +04:00
|
|
|
# Enforce CSRF validation for session based authentication.
|
|
|
|
class CSRFCheck(CsrfViewMiddleware):
|
|
|
|
def _reject(self, request, reason):
|
|
|
|
# Return the failure reason instead of an HttpResponse
|
|
|
|
return reason
|
|
|
|
|
|
|
|
reason = CSRFCheck().process_view(http_request, None, (), {})
|
|
|
|
if reason:
|
|
|
|
# CSRF failed, bail with explicit error message
|
|
|
|
raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
|
|
|
|
|
|
|
|
# CSRF passed with authenticated user
|
|
|
|
return (user, None)
|
2012-09-20 16:06:27 +04:00
|
|
|
|
|
|
|
|
|
|
|
class TokenAuthentication(BaseAuthentication):
|
|
|
|
"""
|
|
|
|
Simple token based authentication.
|
|
|
|
|
|
|
|
Clients should authenticate by passing the token key in the "Authorization"
|
|
|
|
HTTP header, prepended with the string "Token ". For example:
|
|
|
|
|
|
|
|
Authorization: Token 401f7ac837da42b97f613d789819ff93537bee6a
|
|
|
|
"""
|
|
|
|
|
|
|
|
model = Token
|
|
|
|
"""
|
|
|
|
A custom token model may be used, but must have the following properties.
|
|
|
|
|
|
|
|
* key -- The string identifying the token
|
|
|
|
* user -- The user to which the token belongs
|
|
|
|
"""
|
|
|
|
|
|
|
|
def authenticate(self, request):
|
|
|
|
auth = request.META.get('HTTP_AUTHORIZATION', '').split()
|
|
|
|
|
|
|
|
if len(auth) == 2 and auth[0].lower() == "token":
|
|
|
|
key = auth[1]
|
|
|
|
try:
|
|
|
|
token = self.model.objects.get(key=key)
|
|
|
|
except self.model.DoesNotExist:
|
|
|
|
return None
|
|
|
|
|
2012-10-09 12:57:31 +04:00
|
|
|
if token.user.is_active:
|
2012-09-20 16:06:27 +04:00
|
|
|
return (token.user, token)
|
|
|
|
|
|
|
|
# TODO: OAuthAuthentication
|